revocation certificates

The Kleopatra manual says :

“When OpenPGP certificates have been exported to a public directory server, it is nearly impossible to remove them again. Before exporting your certificate to a public directory server, make sure that you have created a revocation certificate so you can revoke the certificate if needed later.”

But I cannot find any mention of how to make such a certificate. The GpG4win Compendium also refers to CRL’s revocation lists but doesn’t say how to make a revocation certificate.

Maybe I missed a vital clue somewhere but could someone please tell me how prepare a revocation certificate using Kleopatra or otherwise ?

In the command prompt:

C:\Users\Owner>gpg -o revocation_cert.asc --gen-revoke

sec 2048R/GHU8Y7R 2013-01-01 John Q. Public

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:

Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: “John Q. Public
2048-bit RSA key, ID GHU8Y7R, created 2013-01-01

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!


Thanks for this info. I take it that revocation certificates must be made from the command line and cannot be generated through Kleopatra.

yes thanks, this info is interesting, but more generally, where can we find info about command lines functions ?

Try this web page:

Just checked and I could not find a way to generate a revocation certificate through either Kleopatra or Gnu Privacy Assistant. Looks like the command line is the only option here.

Thanks Greg

Although the command “gpg -o revocation_cert.asc --gen-revoke” worked perfectly, I found that I had to enter the directory in which gpg.exe was situated, ie"C:\program files\GNU\gnupg" and not the entry in “C:\users\walmac\appdata\roaming”.

I am using Win 7 so that may be the difference.

A small update on the generation of revocation certificates using a gui - enigmail’s key manager has an easy to use interface and allows generation of revocation certs either when a new key pair is made or later.